To avoid any possibility of uninitialized memory.
The exceptions are:
- where the allocation is immediately overwritten by a memcpy or struct copy.
- arrays of structs to avoid any performance impact (except when the
array is returned by the public API).
Pixman 0.42.3 added PIXMAN_r8g8b8_sRGB to pixman_format_code_t. CI
fails if it is missing from switch statements. Building with pixman <
0.42.3 will fail if the enum is used. So put it in a versioned #if.
We don't use it anywhere outside of the image surface, so there's no
need to make it a project-wide private function.
The name is also updated: it's a cairo function, so it should not abuse
the pixman namespace.
The original "slim" symbol rewriting was added without any shred of a
set of performance evaluation, and mostly copy-pasted from a very early
version of pixman. Pixman itself never used them, and most C
libraries—like GLib and GTK—have dropped similar mechanisms over the
past 15 years, as linkers have improved considerably in the meantime.
Modern linkers provide functionality to avoid intra-library PLT jump
through flags like `-Bsymbolic-functions`; we should use that, instead,
and keep the code base more maintainable and debuggable.
This avoids the risk of encountering undefined behavior when computing the `pixel` pointer (even though it won't actually be used) in the case where the image width or height is zero and the data is NULL. (Observed when called from cairo_pdf_surface code when an extreme scaling transform was present, though I guess there are probably other ways to end up with such an image.)
IGT wants to add support for planes with a bit depth >10, which
requires a higher precision format than we have currently.
I'm using RGBA as format, because of its existence in OpenGL.
With the new formats we can directly convert our bytes to half float,
or multiply a colro vector with a matrix to go to the Y'CbCr colorspace.
This requires pixman 0.36.0, so bump the version requirement.
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: Bryce Harrington <bryce@bryceharrington.org>
_cairo_malloc(0) always returns NULL, but has not been used
consistently. This patch replaces many calls to malloc() with
_cairo_malloc().
Fixes: fdo# 101547
CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Doxygen is interpreting the leading 0. as starting an ordered list, and
misformatting the HTML documentation.
Issue reported by Артур Галямов.
Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
Fixes the following compiler warning:
cairo-image-surface.c: In function '_cairo_format_from_pixman_format':
cairo-image-surface.c:93: warning: enumeration value 'PIXMAN_a8r8g8b8_sRGB' not
handled in switch
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=58726
Signed-off-by: Uli Schlachter <psychon@znc.in>
Based on a patch and analysis by Michael Henning.
When we create a similar-image surface for win32, we set up a couple of
back references from the image to the win32 surface, and vice versa. We
need to be careful when decoupling the reference cycle to avoid chasing
around the loop upon destruction. Currently we handled destroying the
similar-image via the parent win32 surface, but similar precaution is
required when destroying the surface via the similar-image.
Reported-by: Michael Henning <drawoc@darkrefraction.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=63787
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Victor Goya found that we ended up leaking memory after reading a PNG
into an image surface and drawing that onto a PDF surface. In
particular, he discovered that
commit 0bfd2acd35
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date: Mon Aug 13 01:34:12 2012 +0100
xlib: Implement SHM fallbacks and fast upload paths
introduced a path to steal the image data for a snapshot (and thereby
avoid a redundant copy), but that path then lead to the leak of the
"owned" data.
Reported-by: Victor Goya <victor.goya@af83.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
The GL backend would like to extract a rectangle from another surface
and convert it to a different pixel format. The
_cairo_image_surface_create_from_image() does that by returning a new
image that has the contents of the specified rectangle in the source
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
We use the parent as a flag during map-to-image/umap-image that the
resultant image came from a fallback rather than as direct call
to the backend's map_to_image(). Whilst we use it as a simple flag,
we need to make sure the parent surface obeys the reference counting
semantics and is consistent for all callers.
Unlike other users of the parent pointer, there is no resource sharing
between the two surfaces.
Reported-by: Henry Song <henry.song@samsung.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cairo backends often need to map/unmap to a raster surface but they
don't care about the pixel format, as Pixman will be doing the format
handling.
Cairo users cannot know how to access the raw data if the format is
invalid.
The two different scenarios call for different guarantees on the
returned surface.
The private map/unmap functions also makes it possible to simply
return the status upon unmapping.
The following Python script was used to compute "Since: 1.X" tags,
based on the first version where a symbol became officially supported.
This script requires a concatenation of the the cairo public headers
for the officially supported beckends to be available as
"../../includes/1.X.0.h".
from sys import argv
import re
syms = {}
def stripcomments(text):
def replacer(match):
s = match.group(0)
if s.startswith('/'):
return ""
else:
return s
pattern = re.compile(
r'//.*?$|/\*.*?\*/|\'(?:\\.|[^\\\'])*\'|"(?:\\.|[^\\"])*"',
re.DOTALL | re.MULTILINE
)
return re.sub(pattern, replacer, text)
for minor in range(12,-2,-2):
version = "1.%d" % minor
names = re.split('([A-Za-z0-9_]+)', stripcomments(open("../../includes/%s.0.h" % version).read()))
for s in names: syms[s] = version
for filename in argv[1:]:
is_public = False
lines = open(filename, "r").read().split("\n")
newlines = []
for i in range(len(lines)):
if lines[i] == "/**":
last_sym = lines[i+1][2:].strip().replace(":", "")
is_public = last_sym.lower().startswith("cairo")
elif is_public and lines[i] == " **/":
if last_sym in syms:
v = syms[last_sym]
if re.search("Since", newlines[-1]): newlines = newlines[:-1]
if newlines[-1].strip() != "*": newlines.append(" *")
newlines.append(" * Since: %s" % v)
else:
print "%s (%d): Cannot determine the version in which '%s' was introduced" % (filename, i, last_sym)
newlines.append(lines[i])
out = open(filename, "w")
out.write("\n".join(newlines))
out.close()
Documentation comments should always start with "/**" and end with
"**/". This is not required by gtk-doc, but it makes the
documentations formatting more consistent and simplifies the checking
of documentation comments.
The following Python script tries to enforce this.
from sys import argv
from sre import search
for filename in argv[1:]:
in_doc = False
lines = open(filename, "r").read().split("\n")
for i in range(len(lines)):
ls = lines[i].strip()
if ls == "/**":
in_doc = True
elif in_doc and ls == "*/":
lines[i] = " **/"
if ls.endswith("*/"):
in_doc = False
out = open(filename, "w")
out.write("\n".join(lines))
out.close()
This fixes most 'documentation comment not closed with **/' warnings
by check-doc-syntax.awk.
In the midst of trying to simply export the
_cairo_image_surface_get_font_options() for subclassing, I accidentally
decoupled it from the image surface backend. Mea culpa.
Fixes regression from 8bea52bb (Add preliminary damage tracking), which
should not have even touched the backend structure except for an ugly
rebasing.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
As we return the child image to the user and so perform the reference
tracking on it and not the parent win32 display surface, we need to add
a call to destroy the parent from the image surface. This of course
complicates the normal scenario of destroying the parent first, and so
in that case we need to unhook the image->parent before freeing the
surface->image.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
This is initially based around the requirements for handling internal
fallbacks to the image compositor and reducing the number of pixels
required to be transferred.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Rewrite the directfb backend as nothing more than a simpler image
compositor onto a shadowfb that is flushed back to the dfb surface as
required. Future refinements would be to add damage tracking, and to mix
the useful directfb operations (such as solid fills and alpha blends).
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Having spent the last dev cycle looking at how we could specialize the
compositors for various backends, we once again look for the
commonalities in order to reduce the duplication. In part this is
motivated by the idea that spans is a good interface for both the
existent GL backend and pixman, and so they deserve a dedicated
compositor. xcb/xlib target an identical rendering system and so they
should be using the same compositor, and it should be possible to run
that same compositor locally against pixman to generate reference tests.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
P.S. This brings massive upheaval (read breakage) I've tried delaying in
order to fix as many things as possible but now this one patch does far,
far, far too much. Apologies in advance for breaking your favourite
backend, but trust me in that the end result will be much better. :)
Printing PDFs with large monochrome or grayscale images would result
in the images being blown up to 24-bit color images. Some printers are
very slow to print huge color images.
The clip surface is no longer cached on the clip and the caller is
responsible for destroying it after use.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
